Server certificate confusion

Nick Howitt nick at howitts.co.uk
Tue Apr 17 15:35:22 CEST 2018



On 17/04/2018 13:55, Alan DeKok wrote:
> On Apr 17, 2018, at 5:24 AM, Nick Howitt <nick at howitts.co.uk> wrote:
>> Replying to my own post.
>>
>> There was a permission problem which I've now fixed, but I still get failure:
>> eapol_test:
>>
>>    (6) eap_tls:   ERROR: SSL says error 26 : unsupported certificate purpose
>    That means that the certificate hierarchy is wrong.  i.e. cert A has created cert B, but cert A doesn't have OIDs which say it's allowed to create sub-certificates.
>
>    Newer versions of OpenSSL check these settings.  Older versions of OpenSSL didn't do that.
>
>    How did you create the certificates?  The scripts in the raddb/certs directory should work, so using those would probably help.
>
>    Alan DeKok.

Thanks for the reply. The distro, ClearOS, is working in a slightly funny
way. The CA is created from (adjusted, expanding the variables with the
config file):

    openssl req -new -x509 -keyout ca.key -out ca.pem \
      -days `grep default_days /etc/raddb/certs/ca.cnf | sed 's/.*=//;s/^ *//'` \
      -config /etc/raddb/certs/ca.cnf

It is a little tortuous with how it gets here, but it is using the 
default ca.cnf file using freeradius-3.0.13-8.el7_4.x86_64. Checking the 
generated CA, I see:
             X509v3 Basic Constraints: critical
                 CA:TRUE

  Nick
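
Added example, not part of the thread: a Python check over `openssl x509 -noout -text` output for the extensions that decide whether a chain passes the server-purpose check discussed above (Basic Constraints, Key Usage, Extended Key Usage). The dumps are constructed samples, the function names are hypothetical, and the rules are a simplified subset of what OpenSSL applies for the sslserver purpose.

```python
import re

# Constructed samples in the layout of `openssl x509 -noout -text` (not from the thread).
CA_DUMP = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""
SERVER_DUMP = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""

def extensions(dump):
    """Map each X509v3 extension name to the list of values printed beneath it."""
    ext, name, depth = {}, None, 0
    for line in dump.splitlines():
        indent = len(line) - len(line.lstrip())
        m = re.match(r"\s*X509v3 (?!extensions)(.+?):\s*(?:critical)?\s*$", line)
        if m:
            name, depth = m.group(1), indent
            ext[name] = []
        elif name and line.strip() and indent > depth:
            # Value lines are indented deeper than the extension name.
            ext[name] += [v.strip() for v in line.split(",") if v.strip()]
        else:
            name = None  # left the extension (blank line or next section)
    return ext

def purpose_problems(dump, is_ca):
    """Simplified server-purpose rules; an absent Key Usage or EKU imposes no limit."""
    ext, problems = extensions(dump), []
    eku = ext.get("Extended Key Usage")
    if eku is not None and "TLS Web Server Authentication" not in eku:
        problems.append("Extended Key Usage lacks TLS Web Server Authentication")
    if is_ca:
        # Assumption of this example: a CA must state CA:TRUE explicitly.
        if "CA:TRUE" not in ext.get("Basic Constraints", []):
            problems.append("Basic Constraints does not say CA:TRUE")
        ku = ext.get("Key Usage")
        if ku is not None and "Certificate Sign" not in ku:
            problems.append("Key Usage lacks Certificate Sign")
    return problems
```

Run `purpose_problems` on the text dump of every certificate in the chain, with `is_ca=True` for the CA and any intermediates; an empty list means none of these rules is violated.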